Most impressive phishing simulation product?
Posted by That_Fixed_It@reddit | sysadmin | 55 comments
We're on KnowBe4 right now. Some users will not do the training, so the simulated phishing messages are probably providing more value. They're too predictable though. The fake Teams invites all look the same. Many claim to come from the HR team, or from IT, or from the CEO, but we're small enough that everyone knows who the HR person is. The hackers will at least grab real names from LinkedIn.
Do you have to customize all your phishing templates? Are you seeing phishing messages that could fool you?
spoiler23@reddit
Try Mimecast Engage
CountGeoffrey@reddit
these are a complete waste of time. do the bare minimum to satisfy whomever is calling for this.
Intrepid_Stock1383@reddit
I had some good luck with, “Click here to see a cat riding a skateboard.”
Indiesol@reddit
"Some users will not do the training..."
Establish a policy, then if people don't do the training, they're breaching the policy and can be written up.
hops_on_hops@reddit
Nah. Written up is HR.
If they don't comply with IT policy, disable their access to IT systems.
TYGRDez@reddit
What do you do when the person who refuses to do the training, and has a 100% click rate on all of your simulated phishing emails, is the president of your company?
...asking for a friend 🙃
itishowitisanditbad@reddit
Inform the compliance officer in writing and sit back for approval in writing.
TYGRDez@reddit
Compliance officer! Hah, good one!
itishowitisanditbad@reddit
You have an actual 'President' of a company but no legal/compliance structure?
That seems... surprising?
I mean technically it's not a protected term, but it typically means they're covered by bylaws and empowered through an actual process/structure.
Guessing this is more a vibes-based 'president' title at a smaller than expected company?
Just never seen a real company with a 'president' that didn't either come with all the faff OR was just some solo 'entrepreneur CEO' with made up stuff.
Shiiiiiit I shouldn't assume.
Either way just fire off the email and sleep well knowing the legal implications are their problem anyway. You can't stop/save them from themselves.
TYGRDez@reddit
Basically. He founded the company, so he gave himself that title.
Approximately 350 employees, so yeah not huge... but big enough that he should really know better and give a little bit of a shit about cybersecurity
ThePodd222@reddit
Our managing partner clicked a ransomware link 🫠
toeonly@reddit
We locked one of the owners out for a while until she did the training.
Indiesol@reddit
Even better.
derfmcdoogal@reddit
I started catching more people when I defined the Manager->Employee relationship. This started sending emails appearing to be from their boss instead of just a generic HR@. Create custom templates.
I also started emailing quarterly reports of training completion to their managers. I've done what I can, it's up to their managers and HR to enforce.
That_Fixed_It@reddit (OP)
Thanks, I just did this.
ks724@reddit
Adaptive is working well for us so far.
That_Fixed_It@reddit (OP)
I'll try it
Mothringer@reddit
It’s worth remembering that the people who notice that predictability are the people who mostly don’t fall for phishing at all.
Jeff-J777@reddit
I know with KB4 I made a number of custom templates that are tailored to our business. But we also use their AI to tailor phishing emails. The AI is not bad, hell I almost fell for a few myself. I use the AI templates that go out randomly to everyone over time. At times I get bored and I will make a company wide phish email and send it out.
A good idea is to do a raffle for your local MLB, NBA, or NFL team giving away tickets and watch the fails climb. My first was a raffle for our local MLB team for opening day tickets; I got almost half the company to fail.
ThePodd222@reddit
We got a surprising number of our users one December with an offer of a voucher for a free turkey.
deathhand@reddit
Banking or insurance. Probably Midwest to the South.
That_Fixed_It@reddit (OP)
Do you mean the AI template selection feature? I tried that when I first configured it, but didn't like the results so I went to full random. Maybe I'll try it again. I wish the AI could customize the templates so I don't have to.
Jeff-J777@reddit
Yea, but I have a lot of different template topics set in my campaign and then for the difficulty rating I did the two highest options.
hops_on_hops@reddit
I think you might need to take a deeper look at your setup in KB4. We just upped our difficulty this year and I nearly fell for the phishing myself with an approval request from my correct manager.
That_Fixed_It@reddit (OP)
Ok, maybe I'll give it another chance.
LesPaulAce@reddit
I created an Inbox rule to delete anything with PHISHTEST or KNOWBE4 in the header.
I don’t accidentally click phish tests. I also never see assigned training. Way to go, KB4, you spammed yourself right out of my world.
If anyone from IT ever came to me and said “you need to do training”, maybe I’d do it, but if KB4 tells me, I’ll never see it.
That_Fixed_It@reddit (OP)
I'm not worried about the people who know how to check an email header. They can wait until IT talks to their manager, and then click through the 45 minute training and quizzes in 10 minutes.
geekworking@reddit
The other filter rule is the Received header via HTTPS. KB4 has been bypassing SMTP entirely and injecting messages directly into the inbox via the Gmail API. Haven't seen other platforms, but if your platform has a mailbox API then it's likely the same.
Auto delete. Done.
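The two fingerprints these comments key on (a PHISHTEST/KNOWBE4 marker in the headers, and a Received chain showing an HTTPS/API insertion with no SMTP hop) are also exactly what an admin evaluating a platform should look for in its test messages, since a simulation that is this easy to filter is also bypassing the mail gateway. The classifier below is an added example, not code from the thread or from any vendor; the header samples are constructed, and the "via HTTPS" wording follows the comment rather than a verified Gmail header format.

```python
"""Classify a raw message by the header fingerprints discussed above.

Added example; the sample messages are constructed, not real captures.
"""
import re
from email import message_from_string
from email.message import Message

# Substrings named in the thread; matched case-insensitively on header names and values.
SIM_MARKERS = ("PHISHTEST", "KNOWBE4")


def has_sim_marker(msg: Message) -> bool:
    """True when any header name or value carries a simulation marker."""
    return any(m in f"{name}: {value}".upper()
               for name, value in msg.items() for m in SIM_MARKERS)


def injected_via_api(msg: Message) -> bool:
    """True when no Received hop used SMTP/ESMTP but one says 'via HTTPS',
    i.e. the message was inserted through a mailbox API instead of being
    delivered through the SMTP gateway."""
    hops = [str(h) for h in msg.get_all("Received", [])]
    smtp_hop = any(re.search(r"\bwith\s+E?SMTP", h) for h in hops)
    https_hop = any(re.search(r"\bvia\s+HTTPS\b", h, re.I) for h in hops)
    return https_hop and not smtp_hop


def classify(raw: str) -> str:
    """Return 'simulation-marker', 'api-injected' or 'normal'."""
    msg = message_from_string(raw)
    if has_sim_marker(msg):
        return "simulation-marker"
    if injected_via_api(msg):
        return "api-injected"
    return "normal"


# Constructed samples (hostnames and ids are placeholders).
GATEWAY_MSG = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTPS id abc123; Mon, 3 Mar 2025 09:00:00 +0000
From: vendor@example.net
To: alice@example.org
Subject: Invoice 4471

Body.
"""
API_MSG = """Received: from [127.0.0.1] by mailbox-api.example.org via HTTPS;
\tMon, 3 Mar 2025 09:05:00 +0000
From: hr@example.org
To: alice@example.org
Subject: Updated holiday schedule

Body.
"""
```

Running `classify()` over GATEWAY_MSG and API_MSG returns "normal" and "api-injected" respectively; a message with an `X-PHISHTEST` header returns "simulation-marker" regardless of its Received chain.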
robotics500@reddit
I do the same. They all do it as well. I don't delete it but I do mark it as phishing with a category.
Ams197624@reddit
We actually do this ourselves. Claim a domain, set up a quick fake website on that domain mildly touching what we actually do, and send mails coming from that domain. It's a bit of work (but AI web development is really helpful here).
Azadom@reddit
Here's a story for you. I was working for an MSP and we used one of KB4's canned emails. Well, a user didn't like that email and reached out to the corporation which it impersonated. That corporation sent a threatening email to us to not use their likeness in emails. We told KB4 and yeah... the big corporation got their way and effective security awareness trainings can't be too real any more.
RadioactiveFruitCup@reddit
Friend runs pen testing and is extremely jaded by how many companies want security but don't want any human vector testing, especially on execs. Pretending to be the CEO emailing a call center agent is fine, but leaving the CFO an AI-cooked voicemail from an SRE is "too far" and "disruptive". Just like nobody wants effective SEV1 failover testing. It's all just play pretend.
FriendlyITGuy@reddit
Similar story. We had a large vet office as a client. We used random emails for all users on the phishing campaigns, and several of their users received emails from "HR" saying a puppy had been lost and was in the area of the building. Most of the vet staff cleared the building to go look for this non-existent puppy.
The practice owner was not very happy when he called our office.
ranhalt@reddit
You told the actual bad guys not to impersonate that company also, right?
Azadom@reddit
Somehow the lawyers couldn’t comprehend that
aes_gcm@reddit
The legal system is usually 20 years behind technology, so that checks out.
touchytypist@reddit
Want to have a high phishing failure rate, just make a sketchy looking email but say it’s for a free X. Tons of people will click it.
toeonly@reddit
I did free Xbox, PlayStation or Switch emails; the Switches did best.
itishowitisanditbad@reddit
Blank subject/body, random email.
employee_reviews_2026 attachment
33% click rate.
cool
toeonly@reddit
We use KnowBe4. I just sent out one that was addressed to the CEO that appeared to be from the user's manager, with a link that said it was a spreadsheet of the team's pay. Now I have to do remedial training for a third of the company.
hkusp45css@reddit
We use Abnormal and their phishing coach. It's fucking awesome compared to the years we had with KB$... I mean KB4.
PM_ME_UR_BGP_PREFIX@reddit
To explain why - Abnormal analyzes users inboxes and customizes the phishing based on their profiles.
PhishAroundFindOut@reddit
KnowBe4 is no longer leading the SAT and phishing industry; their content is extremely outdated, and you can see they come out with new features many months after the competitors have already had them. Check out Adaptive, CanIPhish, and Breach Secure Now.
Resident_Role_2815@reddit
You need to state your affiliation if you're going to shill. This guy must sell Adaptive and Caniphish because every comment in his history is about it. PhishAroundFindOut OK.
Working46168@reddit
Hey we are trying to reach you regarding Caniphish. Do you have a moment?
The_Struggle_Man@reddit
No personal experience using their product, but in my experience, any company that I tell no to, and they reach out to me on all my company means, then to my PERSONAL phone number, I'll never consider:
KnowBe4, Datadog, SolarWinds,
To name a few...
ironmanbythirty@reddit
We’re a smaller organization (25-30 users) and have been happy with CanIPhish. Been using it for over a year and considering upgrading to Enterprise for some additional features
Generico300@reddit
If you're that worried about phishing, disable html in email. Can't click a link in plain text.
Otherwise, you should expect that people will click and credentials will be compromised. There's not that much point in worrying about simulation accuracy. Put your resources into improving recovery, monitoring, and access restrictions.
WraithYourFace@reddit
I do this. We only have about 150 users and 99% of the time it's phishing. Some ERP systems for some reason send as HTML.
I also block .eml and .msg since that's used all the time.
SiteMajestic2094@reddit
Hoxhunt
Skyhound555@reddit
I use SANS, it's a great tool.
You can automate a schedule for phishing tests and training campaigns. It comes with a bunch of templates that you can use to impersonate common businesses or customize your own. You can also import the list of users and it will pull real names from that import, which you can reference in the template.
elatllat@reddit
Just block all URLs that are not on an allow list and call it done.
ThinkedThought@reddit
> The hackers will at least grab real names from LinkedIn.
KnowBe4 has a place to enter as many details as possible for a user, and it will use that information in the emails. You just need to turn off the ones that don't, but there are plenty that do. For example, if you enter a manager name, you can search manager_name in the templates section.
Vodor1@reddit
Part of the point, and probably the biggest one is for the phish to have something in it that the users can learn to spot to see if it’s out of place before blindly clicking on anything.
They may be predictable to you, but on the presumption you're on the sysadmin sub, you're far more eagle-eyed than your employees that believe it's Black Friday every week because their email told them it was.
As long as the platform can let you make your own emails easy enough or the platform brings in modern templates then it’s good enough. Decent training is nice too.
TheCoffeeConsultant@reddit
As far as I've used, KnowBe4 is the best option still, primarily because you can try and spearphish your own users with it, which isn't true of the other platforms I've used, those being Breach Secure and IronScales.
To get more out of it I'd look at LinkedIn and your website and see what you come up with to better target your users with it.